In my opinion, the system should be safe, consistent, and correct regardless of the number of times it is remediated.
If that requires changing more than just what the checks cover, that is appropriate but should be documented as such.

Trevor

On Tue, Feb 12, 2019 at 11:50 AM Marek Haicman <[email protected]> wrote:

> Hello everyone,
> we have currently stumbled upon a situation, where an Ansible remediation
> snippet can either fix 3 different rules at once, or be very convoluted.
> Technical details aside [1] - what is your view of such an approach?
>
> * Is it ok when remediation does change more than the rule that
> triggered it checks?
> * Do you prefer to have no remediation at all, to the remediation that
> does too much?
> * Does the answer to the questions above change between (--remediate) which
> is applied automatically, and bash roles or ansible playbooks, where you
> can check insides of the scripts and alter them before application?
>
>
> Thanks!
> Marek
>
> [1]
> https://github.com/ComplianceAsCode/content/pull/3723#issuecomment-462747526
> _______________________________________________
> scap-security-guide mailing list --
> [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
